FS#74747 - [qemu] invalid tls priority string configured
Attached to Project:
Arch Linux
Opened by Thomas Weißschuh (t-8ch) - Saturday, 14 May 2022, 21:06 GMT
Last edited by David Runge (dvzrv) - Saturday, 03 September 2022, 00:18 GMT
Details
Description:
The qemu package is configured with "--tls-priority=@QEMU,SYSTEM". This is not a valid gnutls priority string [0]. Dropping the --tls-priority configuration will revert to the default priority of "NORMAL" which works.

Additional info:
* package version: 7.0.0-10

During build configuration:
Crypto TLS priority : "@QEMU,SYSTEM"

Steps to reproduce:

Start a nbdkit server with tls:
$ nbdkit --tls-certificates ... -f --tls=required --port=53278 file disk.img

Connect to nbdkit:
$ qemu-img info --output=json --object tls-creds-x509,id=tls0,endpoint=client,dir=... --image-opts file.driver=nbd,file.host=localhost,file.port=53278,file.tls-creds=tls0
qemu-img: Could not open 'file.driver=nbd,file.host=localhost,file.port=53278,file.tls-creds=tls0': Cannot set default TLS session priority @QEMU,SYSTEM: The request is invalid.

[0] https://gnutls.org/manual/html_node/Priority-Strings.html
Closed by David Runge (dvzrv)
Saturday, 03 September 2022, 00:18 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with qemu 7.1.0-2
They appear to have a distro wide "Crypto Policies" mechanism [1]. They also have a package which implements it [2]. There is some related bedtime reading here [3].
> Dropping the --tls-priority configuration will revert to the default priority of "NORMAL" which works.
Agreed.
[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/
[2] https://gitlab.com/redhat-crypto/fedora-crypto-policies
[3] https://www.berrange.com/posts/2016/11/15/new-tls-algorithm-priority-config-for-libvirt-with-gnutls-on-fedora-25/
On Fedora and derived distros, when building GNUTLS it is told to use the system wide crypto policies as the configuration file, using the --with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config arg. @SYSTEM is a default policy always available and @QEMU allows for an optional admin per-host override.
If Arch doesn't want to support any external configuration file or system wide crypto policies, then removing the --tls-priority build time arg to QEMU is the right approach to make it default to GNUTLS hardcoded built-in default "NORMAL".
I'd only caution that this somewhat limits the ability of end users to customize crypto policy strength at runtime, as while there are some runtime args to QEMU for overriding policy these are not well plumbed in across the stack. The system wide crypto policy mechanism is really great for users/admins as a concept.
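As an added example (not code from QEMU, GnuTLS, or anyone in this thread), the script below reproduces the failing call from the bug description and the keyword-resolution behaviour described in the comment above: it calls gnutls_priority_init() through ctypes, which is the call behind QEMU's "Cannot set default TLS session priority ...: The request is invalid" message. It assumes libgnutls is loadable as libgnutls.so.30 and that GnuTLS honours the GNUTLS_SYSTEM_PRIORITY_FILE environment variable (it does not in setuid processes), which is used here to swap in a constructed stand-in for a Fedora-style crypto-policies back-end file that defines SYSTEM but no per-host QEMU override. The keywords NOSUCHKEYWORD and ALSOMISSING and the token BOGUS-ALGO are made up for the demonstration.

```python
"""Probe how the installed libgnutls resolves TLS priority strings.

Added example; not code from QEMU, GnuTLS or this bug report. It calls
gnutls_priority_init() through ctypes, the call QEMU makes when it fails
with "Cannot set default TLS session priority ...: The request is invalid".
Assumptions: libgnutls is loadable as libgnutls.so.30, and GnuTLS honours
GNUTLS_SYSTEM_PRIORITY_FILE (it ignores it in setuid processes), so a
constructed stand-in for a crypto-policies back-end file can be swapped in
for the real system priority file.
"""
import ctypes
import ctypes.util
import os
import tempfile
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for /etc/crypto-policies/back-ends/gnutls.config on a
# Fedora-style host: the distro defines SYSTEM, nobody has added the optional
# per-host QEMU override. On Arch there is no such file at all.
FAKE_SYSTEM_CONFIG = "[priorities]\nSYSTEM=NORMAL:-VERS-TLS1.0:-VERS-TLS1.1\n"

GNUTLS_E_SUCCESS = 0


@dataclass
class PriorityResult:
    priority: str
    valid: bool
    code: int       # gnutls return code, 0 on success
    message: str    # gnutls_strerror(code)
    error_at: str   # unparsed tail starting at the bad token, or ""


def _load_gnutls() -> Optional[ctypes.CDLL]:
    fd, path = tempfile.mkstemp(prefix="gnutls-priorities-", suffix=".config")
    with os.fdopen(fd, "w") as fh:
        fh.write(FAKE_SYSTEM_CONFIG)
    # GnuTLS reads the variable in its library constructor, i.e. at dlopen
    # time, so it must be in the environment before CDLL() is called.
    os.environ["GNUTLS_SYSTEM_PRIORITY_FILE"] = path
    for name in ("libgnutls.so.30", ctypes.util.find_library("gnutls")):
        if not name:
            continue
        try:
            lib = ctypes.CDLL(name)
        except OSError:
            continue
        # int gnutls_priority_init(gnutls_priority_t *, const char *, const char **)
        lib.gnutls_priority_init.restype = ctypes.c_int
        lib.gnutls_priority_init.argtypes = [ctypes.POINTER(ctypes.c_void_p),
                                             ctypes.c_char_p,
                                             ctypes.POINTER(ctypes.c_char_p)]
        lib.gnutls_priority_deinit.restype = None
        lib.gnutls_priority_deinit.argtypes = [ctypes.c_void_p]
        lib.gnutls_strerror.restype = ctypes.c_char_p
        lib.gnutls_strerror.argtypes = [ctypes.c_int]
        return lib
    return None


_GNUTLS = _load_gnutls()


def gnutls_available() -> bool:
    return _GNUTLS is not None


def check_priority(priority: str) -> Optional[PriorityResult]:
    """Ask libgnutls whether `priority` parses; None if the library is absent."""
    if _GNUTLS is None:
        return None
    buf = priority.encode()  # keep a reference: err_pos points into this buffer
    cache, err_pos = ctypes.c_void_p(), ctypes.c_char_p()
    rc = _GNUTLS.gnutls_priority_init(ctypes.byref(cache), buf, ctypes.byref(err_pos))
    if rc == GNUTLS_E_SUCCESS:
        _GNUTLS.gnutls_priority_deinit(cache)
    return PriorityResult(
        priority=priority,
        valid=rc == GNUTLS_E_SUCCESS,
        code=rc,
        message=_GNUTLS.gnutls_strerror(rc).decode(),
        error_at="" if rc == GNUTLS_E_SUCCESS else (err_pos.value or b"").decode("utf-8", "replace"),
    )


if __name__ == "__main__":
    if not gnutls_available():
        raise SystemExit("libgnutls not found; nothing to probe")
    for prio in (
        "NORMAL",                      # built-in default; what QEMU uses without --tls-priority
        "@QEMU,SYSTEM",                # QEMU's build-time string: first keyword found wins
        "@QEMU",                       # the per-host override alone: undefined in our file
        "@NOSUCHKEYWORD,ALSOMISSING",  # what Arch's gnutls sees: no file, nothing resolves
        "NORMAL:+BOGUS-ALGO",          # plain syntax error, for comparison
    ):
        r = check_priority(prio)
        verdict = "ok" if r.valid else f"FAIL: {r.message}"
        print(f"{prio:30} {verdict}" + (f" at {r.error_at!r}" if r.error_at else ""))
```

Run it as a plain script; on a host whose gnutls honours the override, "@QEMU,SYSTEM" resolves through the SYSTEM fallback while "@QEMU" alone and the made-up keyword list fail with the same "The request is invalid." text seen in the report. To see what Arch's build produces, point GNUTLS_SYSTEM_PRIORITY_FILE at a file that defines neither keyword (or at nothing) and "@QEMU,SYSTEM" fails the same way.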
For the Package Maintainers, I've put up a patch here [1] that includes a fix for this bug (along with 3 others).
[1] https://gitlab.com/-/snippets/2368546
I have removed the --tls-priority option in SVN for now and it will be included in the next pkgrel bump.